Kibana Security Release | Traefik Vulnerability



In this week’s digest, we’ll discuss:

  • a Kibana security release;
  • a vulnerability in Traefik managing TLS connections; and
  • weak randomness in WebCrypto keygen on Node.js

Kibana Security Release

Type Confusion: The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. – MITRE definition

CVSSv3.1: NIST – 8.8 (High) | CVE ID: CVE-2022-1364

7.17.8, 8.5.0 Security Update: A type confusion vulnerability was discovered in the headless Chromium browser that Kibana relies on for its reporting capabilities. This issue affects only on-premises Kibana instances on host operating systems where the Chromium sandbox is disabled (only CentOS, Debian). This issue does not affect Elastic Cloud, as the Chromium sandbox is enabled by default and cannot be disabled. This issue also does not affect Elastic Cloud Enterprise.

Kibana Security Release Mitigation Chart

Vulnerability in Traefik Managing TLS Connections

CVSSv3.1: 

  • NIST – 6.6 (Medium)
  • CNA (GitHub) – 8.1 (High)

CVE ID: CVE-2022-46153

Traefik is a modern HTTP reverse proxy and load balancer. It integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS) and configures itself automatically and dynamically.

In affected versions, there is a potential vulnerability in Traefik managing TLS connections. A router configured with a TLSOption that is not well-formatted is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6.

Patch: https://github.com/traefik/traefik/releases/tag/v2.9.6

Users unable to upgrade should check their logs to detect the following error messages and fix the TLS options immediately:

Empty CA:

{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}

Bad CA content (or bad path):

{"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"}

Unknown Client Auth Type:

{"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@file"}

Invalid cipherSuites:

{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"}

Invalid curvePreferences:

{"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"}
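The log check described above can be automated. The following is an added example, not code from Traefik or from the original digest: it assumes Traefik writes JSON-formatted logs like the entries shown, and the function name `find_tls_option_errors`, the labels, and the sample log lines are constructed for illustration.

```python
import json
import re

# Message patterns taken from the five error messages listed above.
TLS_OPTION_ERRORS = [
    ("empty CA", re.compile(r"^invalid clientAuthType: .*CAFiles is required")),
    ("bad CA content or path", re.compile(r"^invalid certificate\(s\) content")),
    ("unknown client auth type", re.compile(r"^unknown client auth type ")),
    ("invalid cipherSuites", re.compile(r"^invalid CipherSuite: ")),
    ("invalid curvePreferences", re.compile(r"^invalid CurveID in curvePreferences: ")),
]


def find_tls_option_errors(lines):
    """Return {routerName: sorted problem labels} for matching error entries."""
    findings = {}
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON log line (for example text-format logs)
        if not isinstance(entry, dict) or entry.get("level") != "error":
            continue
        msg = str(entry.get("msg", ""))
        for label, pattern in TLS_OPTION_ERRORS:
            if pattern.search(msg):
                router = entry.get("routerName", "<unknown router>")
                findings.setdefault(router, set()).add(label)
    return {router: sorted(labels) for router, labels in findings.items()}


# Constructed sample input: three of the messages above plus unrelated lines.
SAMPLE_LOG = [
    '{"level":"info","msg":"constructed unrelated info line"}',
    '{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}',
    '{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router1@file"}',
    '{"level":"error","msg":"unknown client auth type \\"FooClientAuthType\\"","routerName":"Router0@file"}',
    'level=error msg="constructed text-format line, not JSON"',
    '{"level":"error","msg":"constructed unrelated error","routerName":"Router2@file"}',
]

if __name__ == "__main__":
    for router, problems in sorted(find_tls_option_errors(SAMPLE_LOG).items()):
        print(f"{router}: invalid TLSOption ({', '.join(problems)})")
```

Any router reported here is one whose TLS options were rejected, so on affected versions its routes should be treated as running without the intended TLS settings until the configuration is corrected.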

Weak Randomness in Webcrypto Keygen on NodeJS

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.

CVSSv3.1: NIST – 9.1 (Critical) | CVE ID: CVE-2022-35255

A vulnerability introduced in NodeJS v15.0.0 was discovered by a contributor on HackerOne in which https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this:

  1. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes that EntropySource() always succeeds, but it can and sometimes will fail.
  2. The random data returned by EntropySource() may not be cryptographically strong and therefore not suitable as keying material.

Overall, this flaw allows a remote attacker to decrypt sensitive information.

Patch: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255
